Strange request from .MIL address?

This is probably a red herring, but I noticed this in my pihole logs today… Can’t quite figure out how this could happen. It all started tonight right after I upgraded pihole. The meraki.com is my Cisco Meraki wireless router, but that is not it’s IP address. Everything is on a 192.168.1.0/24 subnet.

Jan 3 21:38:56 dnsmasq[1395]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:41:29 dnsmasq[3166]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:44:02 dnsmasq[4898]: query[AAAA] google.com from 6.111.53.76
Jan 3 21:46:35 dnsmasq[4898]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:49:08 dnsmasq[4898]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:51:41 dnsmasq[5685]: query[AAAA] google.com from 6.111.53.76
Jan 3 21:54:14 dnsmasq[8832]: query[AAAA] yahoo.com from 6.111.53.76
Jan 3 21:56:47 dnsmasq[8832]: query[AAAA] meraki.com from 6.111.53.76
Jan 3 21:59:19 dnsmasq[8832]: query[AAAA] google.com from 6.111.53.76

The whois record is:

NetRange: 6.0.0.0 - 6.255.255.255
CIDR: 6.0.0.0/8
NetName: CONUS-YPG-NET
NetHandle: NET-6-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: Headquarters, USAISC (HEADQU-3)
RegDate: 1994-02-01
Updated: 2011-02-24
Ref: https://whois.arin.net/rest/net/NET-6-0-0-0-1

OrgName: Headquarters, USAISC
OrgId: HEADQU-3
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
StateProv: AZ
PostalCode: 85613
Country: US
RegDate: 1990-03-26
Updated: 2011-08-17
Ref: https://whois.arin.net/rest/org/HEADQU-3

So lets say that is the address that did a query to your pihole - so your saying your pihole is open to the public internet?

Prob not the best idea if you ask me, since now you could be used as amplification attack…

Oh god no… My pihole is on my 192.168.1.x subnet as well.

Can you run pihole -d and get us the debug token please?

Sure thing… I have disabled IPv6 though to see if I can trigger an error in the log… here is the pihole -d

(I’m sure this is just a strange fluke)

Your debug token is : ey4g60pub0

These requests are not in your debug log.

How is that exactly?? So either you have a public IP hitting your pihole from the internet, that it shouldn’t be able to do as you stated. Or you have some box on your network using/spoofing to public rfc1918 space. That its owned by the dod really has nothing to do with the problem your asking about.

Or pihole is logging stuff wrong - all of which seem like stuff you should look into the root cause of :wink:

But where exactly did you see these? Since it seems DL6ER says they are not in your log??

I did not see them in his debug log. However, the debugger does only upload the queries during the time of running the debugger (maybe only a few seconds, we don’t see what was logged before).

Right… Don’t waste anymore time on it… I’ll keep debugging. It’s got to be something with dnsmasq logging the wrong IP or something. I’m pretty sure the request is coming from my wireless meraki router, as it is also querying google.com and meraki.com (probably an internet-is-up check).

I may reenable ipv6 later to see if I can get it to show up… I can’t reproduce it on demand from the meraki router

Well, I reenabled ipv6, and rebooted the pihole, and sure enough, the meraki router did it’s normal health check and it logged it as the 6.111 address…

Jan 4 10:09:53 dnsmasq[530]: query[AAAA] meraki.com from 6.111.53.76
Jan 4 10:09:53 dnsmasq[530]: forwarded meraki.com to 208.67.220.220
Jan 4 10:09:53 dnsmasq[530]: forwarded meraki.com to 208.67.222.222

Then I ran a tcpdump and caught this

pi@raspberrypi:/var/log $ sudo tcpdump host 6.111.53.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:12:25.907960 IP 6.111.53.76.43848 > raspberrypi.domain: 61213+ AAAA? google.com. (28)
10:12:25.937164 IP raspberrypi.domain > 6.111.53.76.43848: 61213 1/0/0 AAAA 2607:f8b0:4004:808::200e (56)
10:12:25.941215 IP 6.111.53.76 > raspberrypi: ICMP 6.111.53.76 udp port 43848 unreachable, length 92

And
pi@raspberrypi:/var/log $ ping 6.111.53.76
PING 6.111.53.76 (6.111.53.76) 56(84) bytes of data.
64 bytes from 6.111.53.76: icmp_seq=1 ttl=64 time=4.65 ms
64 bytes from 6.111.53.76: icmp_seq=2 ttl=64 time=7.35 ms

So yea… the Meraki router itself is answering this address

pi@raspberrypi:/var/log $ sudo nmap -v -T4 -A 6.111.53.76

Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-04 10:23 EST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 10:23
Scanning 6.111.53.76 [4 ports]
Completed Ping Scan at 10:23, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:23
Completed Parallel DNS resolution of 1 host. at 10:23, 0.01s elapsed
Initiating SYN Stealth Scan at 10:23
Scanning 6.111.53.76 [1000 ports]
Discovered open port 53/tcp on 6.111.53.76
Discovered open port 80/tcp on 6.111.53.76
Discovered open port 81/tcp on 6.111.53.76
Completed SYN Stealth Scan at 10:23, 30.25s elapsed (1000 total ports)
Initiating Service scan at 10:23
Scanning 3 services on 6.111.53.76
Completed Service scan at 10:25, 76.99s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 6.111.53.76
Retrying OS detection (try #2) against 6.111.53.76
Initiating Traceroute at 10:25
Completed Traceroute at 10:25, 0.02s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:25
Completed Parallel DNS resolution of 1 host. at 10:25, 0.01s elapsed
NSE: Script scanning 6.111.53.76.
Initiating NSE at 10:25
Completed NSE at 10:25, 30.07s elapsed
Nmap scan report for 6.111.53.76
Host is up (0.0087s latency).
Not shown: 846 filtered ports, 151 closed ports
PORT   STATE SERVICE    VERSION
53/tcp open  domain     dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp open  http       lighttpd 1.4.39
|_http-favicon: Unknown favicon MD5: CF27085D23111901C4846512553EB965
|_http-methods: OPTIONS GET HEAD POST
|_http-title: Site doesn't have a title (text/html).
81/tcp open  hosts2-ns?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port81-TCP:V=6.47%I=7%D=1/4%Time=586D1385%P=arm-unknown-linux-gnueabihf
SF:%r(GetRequest,10E,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x2
SF:0text/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x20201
SF:7\x2015:24:13\x20GMT\r\nContent-Length:\x20142\r\n\r\n<html><head><titl
SF:e>404\x20Not\x20Found</title></head><body><h1>Not\x20Found</h1><p>The\x
SF:20requested\x20URL\x20/\x20was\x20not\x20found\x20on\x20this\x20server\
SF:.</p></body></html>\n")%r(HTTPOptions,EC,"HTTP/1\.1\x20501\x20Not\x20Im
SF:plemented\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nDate
SF::\x20Wed,\x2004\x20Jan\x202017\x2015:24:13\x20GMT\r\nContent-Length:\x2
SF:0102\r\n\r\n<HTML><HEAD>\n<TITLE>501\x20Not\x20Implemented</TITLE>\n</H
SF:EAD><BODY>\n<H1>Not\x20Implemented</H1>\n</BODY></HTML>\n")%r(FourOhFou
SF:rRequest,131,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text
SF:/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x202017\x20
SF:15:24:18\x20GMT\r\nContent-Length:\x20177\r\n\r\n<html><head><title>404
SF:\x20Not\x20Found</title></head><body><h1>Not\x20Found</h1><p>The\x20req
SF:uested\x20URL\x20/nice%20ports%2C/Tri%6Eity\.txt%2ebak\x20was\x20not\x2
SF:0found\x20on\x20this\x20server\.</p></body></html>\n")%r(GenericLines,D
SF:F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\n
SF:Connection:\x20close\r\nDate:\x20Wed,\x2004\x20Jan\x202017\x2015:24:18\
SF:x20GMT\r\nContent-Length:\x2094\r\n\r\n<HTML><HEAD>\n<TITLE>400\x20Bad\
SF:x20Request</TITLE>\n</HEAD><BODY>\n<H1>Bad\x20Request</H1>\n</BODY></HT
SF:ML>\n")%r(RTSPRequest,DF,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2004\x20J
SF:an\x202017\x2015:24:18\x20GMT\r\nContent-Length:\x2094\r\n\r\n<HTML><HE
SF:AD>\n<TITLE>400\x20Bad\x20Request</TITLE>\n</HEAD><BODY>\n<H1>Bad\x20Re
SF:quest</H1>\n</BODY></HTML>\n")%r(Help,DF,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nDate:\x2
SF:0Wed,\x2004\x20Jan\x202017\x2015:24:28\x20GMT\r\nContent-Length:\x2094\
SF:r\n\r\n<HTML><HEAD>\n<TITLE>400\x20Bad\x20Request</TITLE>\n</HEAD><BODY
SF:>\n<H1>Bad\x20Request</H1>\n</BODY></HTML>\n");
Device type: general purpose|broadband router
Running (JUST GUESSING): Linux 2.6.X|3.X (95%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 2.6.32 - 3.10 (95%), Linux 3.2 - 3.8 (94%), Linux 2.6.32 (94%), Linux 3.8 (94%), Linux 2.6.32 - 2.6.39 (91%), Linux 3.2 - 3.10 (91%), Linux 3.11 - 3.14 (90%), Linux 2.6.26 - 2.6.35 (89%), 2.6.32 (89%), Linux 3.11 - 3.13 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 6.888 days (since Wed Dec 28 13:06:18 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   16.39 ms 6.111.53.76

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.41 seconds
           Raw packets sent: 2859 (130.764KB) | Rcvd: 275 (13.324KB)

So yea… We can close this topic. I’m going to take my info over to the Meraki support and see why that guy likes to use that IP address. :slight_smile:

I know this is almost 2 years old at this point but I have 4 Meraki MX devices doing the exact same thing and I’m not sure where to turn. What did Meraki ultimately tell you? I have a case open right now and I’m waiting for a reply. All of the addresses I’m getting are in the 6.15.x.x scope. Still points to Ft. Huachuca though.